IPv6 Extension Headers and Network Security

Bill Cerveny, Internet2

Andrew Lake, Albion College

Summer 2005 Joint-Techs

Vancouver, BC

2

Outline

• Description of event• Breakdown and diagnosis of what

happened• Recommendations

3

Initial Environment

Ann Arbor iperf client

Chicago iperf server

Filtering router

Client: iperf –c chicago –b 10m –u –V –p xxxx Server: iperf –s –u –V –p xxxx

4

Problem and Diagnosis

• In a nutshell, a straightforward IPv6 iperf test wasn’t working• UDP port on filtering router was opened up• Still didn’t work

• Ran iperf from Ann Arbor to a different server in New York• Worked as expected

5

Iperf Test Failure Analysis

Client: iperf –c chicago –u –V –p xxxxServer: iperf –s –u –V –p xxxx

6

Abilene Traffic Graphs

• “v6-udp” graph

• “v6-other” graph

http://vixen.grnoc.iu.edu/jfirewall-viz/v6_index.html

Pseudocode fragment:filter v6filter {if multicast

Count v6-multielseif tcp

Count v6-tcpelseif udp

Count v6-udpelseif otherheader

Count v6-other}

7

IPv4 vs IPv6

The IP Packet

IPv4 Packet (No Options) IPv6 Packet (No Extensions)

8

IPv4 vs IPv6

IPv6 Extensions

IPv4 Packet (no Options) IPv6 Packet (with Extensions)

9

Recommended order of headers in an IPv6 packet (RFC 2460)

Recommended order of headers in an IPv6 packet:

1. IPv6 header (40 bytes)2. Hop-by-hop options header (variable)3. Destination options header (1) (variable)4. Routing header (variable)5. Fragment header (8 bytes)6. Authentication header (variable)7. Encapsulation Security Payload header

(variable)8. Destination options header (2) (variable)9. Upper-layer header (for example, TCP or

UDP)

10

IPv4 vs IPv6

Fragmentation

IPv4 Fragment IPv6 Fragment

11

IPv4 Fragment IPv6 Fragment

Routers and Filter Packet Handling

• When the router sees an IPv4 packet, it looks for transport layer information (like whether the packet is TCP or UDP) at the point that is “header length” away from the start of the IP header

• As currently implemented, when the router looks at the IPv6 packet, it tries to characterize the packet by looking in the default next header field.

12

IPv6 Fragmented vs. Unfragmented Datagram

Unfragmented Fragmented

13

IPv6 Fragmented vs. Unfragmented Datagram

Unfragmented Fragmented

14

IPv6 Fragmented vs. Unfragmented Datagram

Unfragmented Fragmented

15

What caused the fragmentation

• The default setting in iperf for datagram size is 1470 bytes.

• Given typical Ethernet network with 1500-byte MTUs, IPv6 packets will fragment 1470-byte datagrams, whereas IPv4 packets will not• IPv4 IP Header + UDP header + 1470 < 1500

• IPv6 IP Header + UDP header + 1470 > 1500

16

2nd and subsequent packets

• The second and subsequent packets of fragmented datagrams don’t contain any transport header information.

• This is true for both IPv6 and IPv4

17

IPv4 and IP Options

• A similar problem can occur with the IP options field in IPv4 and the location of the transport layer header is moved deeper into the packet

• Routers tend to drop packets with IP options and developers have been sensitized to avoid making use of IP options in their applications.

18

Software Suggestions

• Unless testing network performance with fragmented IPv6 packets, don’t send UDP packets that must be fragmented• For iperf udp packets, largest datagram size

should be 1450 bytes (-l option). This is actually suggested deep in the iperf documentation.

• We propose that iperf default IPv6 UDP datagram size be changed from 1470 to 1450 bytes

• Actually, the packet size should be automatically computed to avoid/prevent fragmentation.

19

Implications & Security Risks

• Many high-throughput WAN routers may not figure out layer 3 or 4 header details if there are any extension headers

• Those routers that do extension header analysis may suffer performance hits

• Filtering on layer 3 or 4 header details could be hit or miss• Avoid filters/acls that filter layer 3/4 detail

and where final option is “allow any”

20

Unanswered Questions

• How do various router platforms handle this?

• How hard a problem is this to solve?• At what speed does it become

impossible to evaluate extension headers?

21

Summary

• With IPv6 extension headers, it is trivial to defeat router level 3/4 filters with “allow any” type filters.

• Evaluating level 3/4 headers with extension headers at high speed is hard

• Avoid sending datagrams which are likely to be fragmented or use other extension headers

• This is one of those bumps in the road to IPv6.

22

Acknowledgements

• Ben Eater, Juniper Networks• Tony Hain, Cisco• Jim Ferguson, NLANR• Bill Owens, NYSERnet• Internet2:

• Charles Yun• Matt Zekauskas• Richard Carlson

23